
YzmCMS V7.1 has a reflective XSS vulnerability #68

Closed
@Hebing123

Description


Summary

A reflected XSS vulnerability has been found in YzmCMS V7.1. The vulnerability exists in yzmphp/core/class/application.class.php; when a logged-in user accesses a malicious link, the cookie can be obtained by an attacker.

Details

We can see that in message.tpl, $gourl is concatenated directly into the meta tag, and there is no filtering.
Note that the htmlspecialchars function is already used in the code, but it is not comprehensive.
The developer tries to filter HTTP_REFERER when gourl is not empty. However, if $gourl is not empty, it is used directly for output without the htmlspecialchars function, resulting in an XSS attack.
We can assign a value via the referer to make the gourl variable non-empty.
The final payload is http://your-ip/member/index/login.html?username=123&password=123&referer=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Proof of Concept (POC)

http://your-ip/member/index/login.html?username=123&password=123&referer=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
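The pattern the report describes, shown as an added example in PHP (this is not YzmCMS code; the template line, the function names and the fallback path are assumptions): the unescaped meta-refresh output beside a hardened version that only accepts a local path and HTML-escapes on output.

```php
<?php
// Added example, not YzmCMS code. The meta-refresh template line and the
// helper names are assumptions chosen to illustrate the report.

// Unsafe: a user-influenced redirect target is written straight into the
// attribute, so a quote or angle bracket in it can close the tag.
function render_redirect_unsafe(string $gourl): string {
    return '<meta http-equiv="refresh" content="1;url=' . $gourl . '">';
}

// Step 1 of the fix: only accept a same-site, single-slash path for the
// redirect target. Anything absolute, protocol-relative or unparsable is
// replaced by the fallback, which also closes the open-redirect angle.
function safe_redirect_target(?string $referer, string $fallback = '/'): string {
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return $fallback;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Step 2 of the fix: escape on output, every time, regardless of where the
// value came from. ENT_QUOTES covers the double quote that ends the attribute.
function render_redirect_safe(string $gourl): string {
    $escaped = htmlspecialchars($gourl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta http-equiv="refresh" content="1;url=' . $escaped . '">';
}

// Constructed inputs: the referer value from the report and an ordinary local path.
$hostile = '1"><script>alert(document.cookie)</script>';
$benign  = '/member/index/index.html?tab=1';

echo render_redirect_unsafe($hostile), PHP_EOL;                     // script tag lands in the page
echo render_redirect_safe(safe_redirect_target($hostile)), PHP_EOL; // rejected, falls back to "/"
echo render_redirect_safe(safe_redirect_target($benign)), PHP_EOL;  // local path passes through, escaped
echo render_redirect_safe($hostile), PHP_EOL;                       // escaping alone already neutralises it
```

Escaping at the output point is the fix for the XSS; the path check is the extra step a reviewer would ask for, because a referer-driven redirect target is also an open-redirect surface even once it is escaped.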
